home

setup{6906622a-b3de-4205-8045-7843b047c892}.exe

Creative Island Media, LLC

This is part of an adware program designed to inject advertising in the web browser (banners, text-links) as well as modify the normal behavior of the browser as well as modify the computer’s system settings that control applications to run on startup. Part of the Injekt brand of unwanted programs. The application setup{6906622a-b3de-4205-8045-7843b047c892}.exe by Creative Island Media has been detected as adware by 5 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d.tubedimmerapp.com. While running, it connects to the Internet address server-52-84-7-48.ord54.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
UpdaterResponse  (signed by Creative Island Media, LLC)

Product:
UpdaterResponse

Version:
3, 0, 0, 1

MD5:
91e7248d77eb211802eaf466351660ea

SHA-1:
4f3bd2a70c85d54cd2d3f13f13c43936443a2edc

SHA-256:
cc5e58d659c6f1c0341179b3a5e037562a2a9a23bac1ca3da7f1fc7936097f86

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser as well as alters the browsers settings (home page, search, DNS, and security protocols).

Analysis date:
10/18/2024 5:15:52 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Searcher.2647
9.0.1.0117

G Data
Win32.Application.TubeDimmer
14.4.24

Reason Heuristics
PUP.Installer.CreativeIslandMedia.l
14.8.7.20

Trend Micro House Call
TROJ_GEN.F47V0417
7.2.117

VIPRE Antivirus
Injekt
28592

File size:
1 MB (1,085,304 bytes)

Product version:
3, 0, 0, 1

Original file name:
response.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\setup{6906622a-b3de-4205-8045-7843b047c892}.exe

Digital Signature
Signed by:
Creative Island Media, LLC

Authority:
VeriSign, Inc.

Valid from:
3/23/2014 8:00:00 PM

Valid to:
6/23/2015 7:59:59 PM

Subject:
CN="Creative Island Media, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Creative Island Media, LLC", L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0ED42A15C608C5CB28B1EF56CE392E5E

File PE Metadata
Compilation timestamp:
4/17/2014 12:58:58 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:2GgjK5MEIXZn7MIDO/eSF2WTIubhDz4H4AVdR1ZH:aK6Zn7MbepWIubhH4H4AVdR1ZH

Entry address:
0x9BC81

Entry point:
E8, 0A, 18, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, A8, 94, 4F, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, B0, 00, 4F, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, A8, 94, 4F, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7...
 
[+]

Entropy:
6.5786

Code size:
784.5 KB (803,328 bytes)

The file setup{6906622a-b3de-4205-8045-7843b047c892}.exe has been seen being distributed by the following URL.

http://d.tubedimmerapp.com/.../setup2.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-50-112-218-190.us-west-2.compute.amazonaws.com  (50.112.218.190:80)

TCP (HTTP):
Connects to ec2-52-10-180-179.us-west-2.compute.amazonaws.com  (52.10.180.179:80)

TCP (HTTP):
Connects to server-54-230-95-132.fra2.r.cloudfront.net  (54.230.95.132:80)

TCP (HTTP):
Connects to server-52-84-7-48.ord54.r.cloudfront.net  (52.84.7.48:80)

TCP (HTTP):
Connects to server-52-84-7-36.ord54.r.cloudfront.net  (52.84.7.36:80)

TCP (HTTP):
Connects to server-52-84-7-118.ord54.r.cloudfront.net  (52.84.7.118:80)

TCP (HTTP):
Connects to server-52-84-63-143.ord51.r.cloudfront.net  (52.84.63.143:80)

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.